Symantec in another bogus digital certs blunder

"Test" certificates revoked.

Symantec is again under fire for issuing a large number of bogus SSL/TLS digital certificates, a blunder that threatens the integrity of encrypted and authenticated internet data traffic flows.

The issue was reported by the owner of certificate vendor SSLMate, Andrew Ayer, through Google's certificate transparency site. Wrongly issued certificates can be used to impersonate hosts on the internet in web browsers and other applications such as email clients and servers.

Ayer noticed that in July last year, Symantec issued three certificates for example.com, a domain assigned to the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN told him that it had not authorised the credentials.

Over 100 certificates were wrongly issued between July 2016 and January this year by Symantec certificate authorities (CAs) for different domains, according to the Google log.

Symantec's public key infrastructure policy manager Steven Medin confirmed the mistake, and blamed one of the company's WebTrust audited partners for the error.

Medin said the wrongly issued certificates had all been revoked, and that Symantec would continue to investigate the issue.

In 2015, Symantec and its Thawte subsidiary were sharply criticised by Google for wrongly issuing certificates for the search engine giant's domains. Symantec was found to have issued 164 fake certificates for existing domains, and thousands for others that had never been registered.

Symantec subsequently fired the staffers responsible. 

Google also insisted on a third-party security audit and a point-in-time assessment to ensure that Symantec was fit to be a trusted certificate authority.

Failure to comply with the demands would have resulted in Google's popular Chrome web browser no longer trusting Symantec digital credentials. After the 2015 certificate blunder, Symantec was forced by Google to record all credentials issued by its CAs.

Copyright © iTnews.com.au . All rights reserved.